MITRE ATT&CK: Disk content wipe
Classic moves, no matter what the subject matter is, are timeless. Be it the hook shot in basketball, the uppercut in boxing or the pirouette in ballet, these are moves that you remember for the subject matter.
Believe it or not, hacker attack techniques are no different. Aside from the outright theft of information, gaining access to a system and wiping all or a portion of a disk is as classic as the moves listed above and definitely just as timeless. It’s funny how even though technology has changed over the years, some hacker objectives are just as applicable today as they were when hacking was in its infancy.
This article will detail the disk content wipe availability technique that is enumerated in the MITRE ATT&CK matrix. We will explore the attack matrix, the disk content wipe, a little about how the attack works and real-world examples, as well as mitigation and detection considerations.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based on real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use.
More information on the MITRE ATT&CK matrix can be found here.
What is a disk content wipe?
As the name suggests, a disk content wipe means erasing the contents of a disk entirely or partially. This is an easy enough concept to grasp but to fully understand why this technique is still used today, it boils down to the impact group that disk content wipe belongs to — availability. Attackers use availability techniques to deny information and target system and network resources to legitimate users.
There are different reasons for this attack technique, but the result is always the same: a sort of paralysis of the target that can be a setup for other malware, a harbinger for a ransomware attack or simply to send a message. Attackers are known to launch this attack technique against specific, individual systems and large groups of systems on an organization’s network alike.
Attackers use this attack technique to wipe either the entire disk or portions of a disk, sometimes arbitrarily. This is as opposed to wiping particular disk structures or files, which is a different attack technique altogether. Disk content wipe is also a distinct technique from data destruction, which focuses on erasing individual files instead.
A little about how disk content wipe works
Attackers have two main methods by which to carry out a disk content wipe attack. The first method is to gain direct access to a hard disk to overwrite arbitrarily sized disk portions with random data. This is the most observed method for carrying out this attack technique which will be explored below. The second method normally used is leveraging third-party, legitimate drivers to gain direct access to a target disk’s contents. An example of a commonly used third-party driver is RawDisk, which allows for direct data modification on a target system’s hard drive.
Sometimes the goal of an attack is causing maximum network-wide availability interruption. In cases like these, adversaries will use malware with worm-like features the leverage other attack techniques like credential dumping, valid accounts, lateral movement and Windows Admin Shares to propagate across the target network.
Real-world examples of disk content wipe
Gaining international attention after it took center stage in the Sony Pictures Entertainment attack, WhiskeyAlfa is a destructive malware family that is designed to destroy the contents of any hard drive attached to an infected system. Used by the Lazarus attack group, there are three variants of this malware, with subsequent versions after version 1 dropping additional malware and targeting specific spreading mechanisms.
After WhiskeyAlfa, new versions of Whiskey have since been introduced with greater malicious capabilities. WhiskeyAlfa has the ability to overwrite a drive’s first 64MB with a mix of random and static buffers. WhiskeyDelta is the latest incarnation and can overwrite 132MB or 1.5MB with random data (heap memory).
Associated with the Iranian attack group APT33, StoneDrill is a type of wiper malware that has been used to carry out disk content wipe attacks against targets. StoneDrill has the capability to wipe accessible drives of infected computers, both physical and logical. This malware can also wipe the master boot record for an extra destructive “good measure.”
This technique can be mitigated by implementing a disaster recovery plan that performs regular data backups for organization data restoration. Backups should not be stored on organization systems and should be protected from common attacker methods to gain access to or destroy said backups. Good disaster recovery plans should use at least a modicum of redundancy in case the worst-case scenario occurs.
There are two ways to detect this attack technique:
- Monitor for read/write to locations storing sensitive information including partition boot sector and BIOS (block or superblock)
- Monitor for suspicious kernel driver installation actions
The disk content wipe attack technique is one of those classic moves that, in a way, sort of embodies cybersecurity attacks as a whole. It uses wiping methods that destroy seemingly arbitrary sectors of drives, or the entirety of drives, with the goal of harmfully impacting availability instead of the data itself. Performing one malicious action to cause another is a pervasive objective within cyberattacks, and disk content wipe is the epitome of this trend.